Detecting a spoofed call

ABSTRACT

A system can be operable to receive a call from a communication device and identify whether the call is a spoofed based on, for example, whether a caller party user equipment associated with a caller identification number (caller ID number) is in an “idle” status, whether there are inconsistencies in the geographic location associated with a calling party&#39;s network and the geographic location determined to be associated with the caller ID number presented, and whether the phone number presented as the caller ID number is registered with a calling party&#39;s network.

TECHNICAL FIELD

The present application relates generally to the field of privacy, and,for example, to detecting a spoofed call.

BACKGROUND

In today's busy world, receiving calls at inconvenient times can be veryannoying, especially if a called party is not interested in the subjectmatter to which the calls relate, or if the called party receivesrepeated calls at inopportune times. There has been an increase in thenumber of automated calls (e.g., robocalls), which can be vexatious, oreven fraudulent, in which many calls are automatically directed tocalled parties by an automated dialer (e.g., robocaller, robotic caller,robocall device, robotic calling device), which typically plays apre-recorded message for the called parties. Additionally, there aremany ways to mask a robocall as a legitimate call by “spoofing” theoriginating number, such that the automated call appears to a blockingsystem, as well as called party identities, as coming from a legitimatecaller or legitimate source.

There has been some effort to reduce and even limit such calls byenforcing the laws in which called parties on a “do not call” list arenot be called. However, most of these automated calls do not evenoriginate from the United States. There are large call centers in remotecorners of the world where U.S. laws are inapplicable, or the callingparties simply ignore the applicable laws. Additionally, there have beenincidences in which robocall systems have been used maliciously toperpetrate fraudulent transactions. According to the federalcommunications commission (FCC), it received more than 214,000complaints about unwanted calls in 2014.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the subject disclosureare described with reference to the following figures, wherein likereference numerals refer to like parts throughout the various viewsunless otherwise specified.

FIG. 1 is a diagram illustrating an example system and networkingenvironment for accessing on-line services and products.

FIG. 2 is a diagram illustrating an example system and networkingenvironment in which an automated dialer calls multiple user equipment.

FIG. 3 is a diagram illustrating transactions between an exampleautomated dialer and a called party user equipment.

FIG. 4 is a flow chart illustrating an example of a called party'stypical experience interacting with an automated dialer.

FIG. 5 is a diagram that illustrates a system in which automated dialeris connected to a called party user equipment via a calling party'snetwork and a called party's network.

FIG. 6 is a diagram illustrating an example of a legitimate call,wherein the status of the line of a calling party user equipment isoff-hook, or busy.

FIG. 7 is a diagram illustrating an example of a spoofed call, whereinthe status of the line of a calling party user equipment is idle.

FIG. 8 illustrates an example spoofing detector that determines whethera UE associated with a legitimate party identity is “idle” when a callpurports to originate from that UE.

FIG. 9 illustrates an example spoofing detector that determines whetherthe geographical area associated with a calling party's network isconsistent with a caller ID number's geographic location, in accordancewith various aspects and embodiments of the subject disclosure.

FIG. 10 illustrates an example spoofing detector that determines whethera caller ID number is registered with calling party's network, inaccordance with various aspects and embodiments of the subjectdisclosure.

FIG. 11 illustrates a flow diagram of an example spoofing detectionoperation, in accordance with various aspects and embodiments of thesubject disclosure.

FIG. 12 illustrates another flow diagram of an example spoofingdetection operation that can be performed, in accordance with variousaspects and embodiments of the subject disclosure.

FIG. 13 illustrates an example of an operation related to the detectionof spoofed calls, in accordance with various aspects and embodiments ofthe subject disclosure.

FIG. 14 illustrates a block diagram of an example computer that can beoperable to execute processes and methods in accordance with variousaspects and embodiments of the subject disclosure.

FIG. 15 illustrates a block diagram of an example mobile device that canbe operable to execute processes and methods in accordance with variousaspects and embodiments of the subject disclosure.

DETAILED DESCRIPTION

The subject disclosure is now described with reference to the drawings,wherein like reference numerals are used to refer to like elementsthroughout. The following description and the annexed drawings set forthin detail certain illustrative aspects of the subject matter. However,these aspects are indicative of but a few of the various ways in whichthe principles of the subject matter can be employed. Other aspects,advantages, and novel features of the disclosed subject matter willbecome apparent from the following detailed description when consideredin conjunction with the provided drawings. In the following description,for purposes of explanation, numerous specific details are set forth toprovide a more thorough understanding of the subject disclosure. Itmight be evident, however, that the subject disclosure can be practicedwithout these specific details. In other instances, well-knownstructures and devices are shown in block diagram form to facilitatedescribing the subject disclosure.

The subject disclosure of the present application describes systems andmethods (comprising example computer processing systems,computer-implemented methods, apparatus, computer program products,etc.) for processing a call. The methods (e.g., processes and logicflows) described in this specification can be performed by devicescomprising programmable processors that execute machine-executableinstructions to facilitate performance of the operations describedherein. Examples of such devices are described in the figures herein andcan comprise circuitry and components as described in FIG. 14 and FIG.15. Example embodiments and components can take the form of an entirelyhardware embodiment, an entirely software embodiment, or an embodimentcombining software and hardware aspects.

Example embodiments are described below with reference to block diagramsand flowchart illustrations of methods, apparatuses, and computerprogram products. Steps of the block diagrams and flowchartillustrations support combinations of mechanisms for performing thespecified functions, combinations of steps for performing the specifiedfunctions, and program instructions for performing the specifiedfunctions. Example embodiments may take the form of web, mobile,wearable computer-implemented, computer software. It should beunderstood that each step of the block diagrams and flowchartillustrations, combinations of steps in the block diagrams and flowchartillustrations, or any functions, methods, and processes describedherein, can be implemented by a computer executing computer programinstructions. These computer program instructions may be loaded onto ageneral-purpose computer, special purpose computer, combinations ofspecial purpose hardware and other hardware, or other programmable dataprocessing apparatus. Example embodiments may take the form of acomputer program product stored on a machine-readable storage mediumcomprising executable instructions (e.g., software) that, when executedby a processor, facilitate performance of operations described herein.Any suitable machine-readable storage medium may be utilized including,for example, hard disks, compact disks, DVDs, optical data stores,and/or magnetic data stores.

The present application describes systems and methods relating to aspoofing detector (e.g., spoofing detector 810) comprising one or moreprocessors and one or more memories that can store executableinstructions that, when executed by a processor, facilitate performanceof identifying, authenticating, and processing automated calls, whereinthe executable instructions can be comprised of one or more softwaremodules.

FIG. 1 is a diagram illustrating an example of system 100 in which auser equipment can access on-line services provided through one or moreserver devices having access to one or more data stores, or can makephone calls from a device owned by a calling party identity to a deviceowned by a called party identity. The system 100 can comprise one ormore communications networks (e.g., communication network 110, and asmentioned below, can comprise a calling party's network 510 and a calledparty's network 520), one or more servers 120, one or more data stores130 (each of which can contain one or more databases of information),and one or more user equipment (“UE”) 140 _(1-N). The servers 120 anduser equipment 140, which can be computing devices as described in FIG.14 and FIG. 15, can execute software modules that can facilitate variousfunctions, methods, and processes described herein.

In example embodiments, the one or more communications networks can beoperable to facilitate communication between the server(s) 120, datastore(s) 130, and UEs 140. The one or more networks (e.g., communicationnetwork 110) may include any of a variety of types of wired or wirelesscomputer networks such as a cellular network, private branch exchange(PBX), private intranet, public switched telephone network (PSTN), plainold telephone service (POTS), satellite network, WiMax, data over cablenetwork (e.g., operating under one or more data over cable serviceinterface specification (DOCSIS)), or any other type of computer orcommunications network. The communications networks can also comprise,for example, a local area network (LAN), such as an office or Wi-Finetwork.

Referring to FIG. 1, the communication network 110 can be a cellularnetwork employing various cellular technologies and modulation schemesto facilitate wireless radio communications between devices. Forexample, communication network 110 can operate in accordance with aUMTS, long term evolution (LTE), high speed packet access (HSPA), codedivision multiple access (CDMA), time division multiple access (TDMA),frequency division multiple access (FDMA), multi-carrier code divisionmultiple access (MC-CDMA), single-carrier code division multiple access(SC-CDMA), single-carrier FDMA (SC-FDMA), orthogonal frequency divisionmultiplexing (OFDM), discrete Fourier transform spread OFDM (DFT-spreadOFDM) single carrier FDMA (SC-FDMA), filter bank based multi-carrier(FBMC), zero tail DFT-spread-OFDM (ZT DFT-s-OFDM), generalized frequencydivision multiplexing (GFDM), fixed mobile convergence (FMC), universalfixed mobile convergence (UFMC), unique word OFDM (UW-OFDM), unique wordDFT-spread OFDM (UW DFT-Spread-OFDM), cyclic prefix OFDM CP-OFDM,resource-block-filtered OFDM, and citizens broadband radio system(CBRS). However, various features and functionalities of system 100 areparticularly described wherein the devices (e.g., the UEs 102 and thenetwork device 104) of system 100 are configured to communicate throughwireless signals using one or more multi-carrier modulation schemes,wherein data symbols can be transmitted simultaneously over multiplefrequency subcarriers.

In example embodiments, communication network 110 can be configured toprovide and employ 5G wireless networking features and functionalities.5G wireless communication networks are expected to fulfill the demand ofexponentially increasing data traffic and to allow people and machinesto enjoy gigabit data rates with significantly reduced latency. Comparedto 4G, 5G can support more diverse traffic scenarios. For example, inaddition to the various types of data communication between conventionalUEs (e.g., phones, smartphones, tablets, PCs, televisions, internetenabled televisions, etc.) supported by 4G networks, 5G networks can beemployed to support data communication between smart cars in associationwith driverless car environments, “internet of things” (IoT) devices, aswell as machine type communications (MTCs). Considering the drasticallydifferent communication resources of these different traffic scenarios,the ability to dynamically configure waveform parameters based ontraffic scenarios while retaining the benefits of multi-carriermodulation schemes (e.g., OFDM and related schemes) can provide asignificant contribution to the high speed/capacity and low latencydemands of 5G networks. With waveforms that split the bandwidth intoseveral sub-bands, different types of services can be accommodated indifferent sub-bands with the most suitable waveform and numerology,leading to improved spectrum utilization for 5G networks.

To meet the demand for data centric applications, features of proposed5G networks can comprise: increased peak bit rate (e.g., 20 Gbps),larger data volume per unit area (e.g., high system spectralefficiency—for example about 3.5 times that of spectral efficiency oflong term evolution (LTE) systems), high capacity that allows moredevice connectivity both concurrently and instantaneously, lowerbattery/power consumption (which reduces energy and consumption costs),better connectivity regardless of the geographic region in which a useris located, a larger numbers of devices, lower infrastructuraldevelopment costs, and higher reliability of the communications. Thus,5G networks can allow for: data rates of several tens of megabits persecond should be supported for tens of thousands of users, 1 gigabit persecond to be offered simultaneously to tens of workers on the sameoffice floor, for example; several hundreds of thousands of simultaneousconnections to be supported for massive sensor deployments; improvedcoverage, enhanced signaling efficiency; reduced latency compared toLTE.

The upcoming 5G access network can utilize higher frequencies (e.g., >6GHz) to aid in increasing capacity. Currently, much of the millimeterwave (mmWave) spectrum, the band of spectrum between 30 GHz and 300 GHzis underutilized. The millimeter waves have shorter wavelengths thatrange from 10 millimeters to 1 millimeter, and these mmWave signalsexperience severe path loss, penetration loss, and fading. The upcoming5G access network can also employ an architecture in which a user planeand control plane are separate, wherein complex control plane functionsare abstracted from forwarding elements, simplifying user planeoperations by relocating control logic to physical or virtual servers.

Still referring to FIG. 1, the communication network 110 can comprise afixed-packet network. The fixed packet network can be a broadbandnetwork using internet protocol (IP) to deliver video, voice, and data.An example of such a network is a cable television (CATV) infrastructureimplementing the data over cable service interface specification(DOCSIS) and PacketCable standards, which allow a multiple serviceoperator (MSO) to offer both high-speed internet and voice over internetprotocol (VoIP) through an MSO's cable infrastructure. In someimplementations, the fixed packet network can have headend equipmentsuch as a cable modem termination system (CMTS) that communicatesthrough one or more hybrid fiber coax (HFC) networks with user premisesequipment such as a cable modem or embedded multimedia terminal adapter(EMTA) (see below). The fixed packet network can also comprise networksusing asynchronous transfer mode (ATM), digital subscriber line (DSL),or asymmetric digital subscriber line (ADSL) technology. These networkshave typically been provided by telephone companies. ATM and DSL/ADSLequipment can be located at an exchange or central office, and caninclude integrated DSL/ATM switches, multiplexers such as digitalsubscriber line access multiplexers (DSLAMS), and broadband remoteaccess servers (B-RAS), all of which can contribute to the aggregationof communications from user equipment onto a high-capacity uplink (ATMor Gigabit Ethernet backhaul) to internet service providers (ISPs).Transmission media connecting the central office and user equipment caninclude both twisted pair and fiber.

The communication network 110 can also comprise a one or more satellitenetworks, which can enable the exchange of voice, data, and video. Inaddition to television programming services, satellite networks, such asa DBS (Direct Broadcast Satellite) system, operated by DBS broadcastsatellite providers (e.g., Dish Networks, DIRECTV, HughesNet), can beoperable to enable high speed internet and voice services.

The communication network 110 can also comprise a POTS network thatsupports the delivery of voice services employing analog signaltransmission over copper loops.

Referring to FIG. 1, servers 120 can be operable to send viacommunication network 110 executable code capable of generatinggraphical user interfaces (GUIs) that a user identity can interact withto facilitate the provision of such on-line data, or voice services. TheGUIs can be, for example, a webpage that can be displayed (andinteracted with) on a user equipment 140. Modules comprising executableinstructions that, when executed by a processor of the server 120,facilitate performance of operations, such as the exchange of data orthe exchange of voice (e.g., a soft phone), can be stored on a memorydevice of the server 120 (or a memory device connected to the server120).

The data stores 130 can comprise physical media for storing information,housed within the one or more servers 120, peripherally connected to theone or more servers, or connected to the servers 120 through one or morenetworks. For example, the storage device can be connected to theprocessor of a server, via, for example, a communications medium such asa bus (e.g., SATA, eSATA, SCSI, flash, or the like). As another example,data stores 130 can be peripheral devices, set up as a redundant arrayof independent disks (RAID) array, a storage area network (SAN), ornetwork attached storage (NAS). The data stores can comprise magneticmemory, such as a hard drive or a semiconductor memory, such as RandomAccess Memory (RAM), Dynamic RAM (DRAM), non-volatile computer memory,flash memory, or the like. The memory can include operating system,administrative, and database program modules that support the methodsand programs disclosed in this application.

Referring to FIG. 1, user equipment 140 can be, for example, a tabletcomputer, a desktop computer, or laptop computer, a cellular enabledlaptop (e.g., comprising a broadband adapter), a handheld computingdevice, a mobile phone, a telephone, a smartphone, a tablet computer, awearable device, a virtual reality (VR) device, a heads-up display (HUD)device, an IoT device, and the like.

In example embodiments, a customer premises equipment (CPE) 150 canprovide access for the UE (e.g., UE 1402) to the one or more networks(e.g., communication network 110). The CPE 150 can comprise a broadbandaccess modem (e.g., cable modem, DSL modem, Wi-MAX modem, satellitemodem). The CPE 150 can also comprise a gateway device (also referred toas a residential gateway, home gateway, set top gateway) that processesvideo, voice packets, and data packets and serves as a broadbandconnectivity point for various devices (e.g., video set-top boxes,computers, mobile devices, telephones). The UE (e.g., UE 1402) can beconnected to the CPE device via, for example, an Ethernet interface, ora wireless access point device (which can be embedded within the CPEdevice, or connected to the CPE device as a peripheral device), whichcan operate in accordance with the IEEE 802.11 family of standards.

For voice services, a computer (or computing device) connected to acommunication network 110 that executes VoIP software can allow forvoice calls to be made via a computer application (i.e., a “softphone”such as that offered by Skype). The VoIP software can be provided by oneor more servers 120. Additionally, the CPE 150 can be embedded with aVoIP adapter, through which a telephone 1403 can connect (e.g., via anRJ-11 phone jack) and make voice calls. Examples of such devices thatsupport voice and data communications are referred to as a telephonymodems, embedded multimedia terminal adapters (EMTAs), digital voicemodems, voice data modems, voice and internet modems, and the like. Inother embodiments, a VoIP adapter can be peripheral to the broadbandmodem, and the telephone can connect to that VoIP adapter (e.g., anadapter provided by Vonage, Ooma, etc.). In other embodiments, a VoIPadapter can be connected to a computer, for example, via its universalserial bus (USB) port (e.g. an adapter provided by magicJack).

Referring to FIG. 1, a UE 1404 can be a mobile device used to make andaccept voice calls, including a cellular phone, as well as a tablet witha cellular adapter. The mobile device can be operative to make voicecalls through the communication network 110 to other communicationdevices. Further details describing a mobile device are described belowin FIG. 14 below.

The UE 140 can also be a POTS telephone 140 s connected to thecommunication network 110.

FIG. 2 is a diagram that illustrates an example networking environmentin which a typical automated dialer 210 can be operable to initiateautomated calls (e.g., robocalls). Typically, an automated dialer 210(also referred to as an automated dialer system, automated callingsystem, robocaller, or predictive dialer) is used in business toconsumer (B2C) applications, and can be one or more computers operableto run modules that, when executed, automatically makes voice calls,which can be made simultaneously or in rapid succession, to a pluralityof call destinations. The automated dialer 210 can be for example, a UEhaving a broadband connection and operable to make VoIP calls (e.g., UE1402), and the modules can be locally stored or provided by one or moreservers (e.g., servers 120). The automated dialer 210 can make voicecalls to called party UEs 220 _(1-N), which can be one or more UEs 140(e.g., a cellular phone, a VoIP phone, a POTS phone, etc.) that areoperable to answer voice calls. After connection with a called party UE220 (one of the plurality of called party UEs 220 _(1-N)) the automateddialer 210 plays a pre-recorded message to either the called partyidentity, or a voicemail system if the called party identity does notanswer. A large majority of robocalls originate through a VoIP network.Example vendors of automated dialers and predictive dialers can includeVoice2Phone, VoiceShot, Voicent, CallFire and Five9.

Intercepting and blocking unwanted automated calls can be a challenge,in large part because some of these calls are actual public serviceannouncements, such as from the weather service, school system, publicsafety departments, etc. In other example use cases, largeorganizations, for example a large religious congregation, might userobocalls as an effective way to distribute pre-recorded messages. Thus,not every robocall is necessarily fraudulent, vexatious, orillegitimate.

In FIG. 3, a typical automated dialer 210 (e.g., robocalling device)operated by telemarketing identities, can at transaction (1) receiveautomated dialer inputs. An automated dialer input can comprise aplurality of target phone numbers corresponding to called party UEs(e.g., UEs 220 _(1-N)). The phone numbers might have been collected fromcalled party identities, who might have provided their phone numbers inresponse to surveys, purchases, etc. A typical automated dialer 210allows input of phone numbers manually, as well by uploading aspreadsheet, or some other type of file, having the phone numbers. Anautomated dialer input can also comprise a pre-recorded message (e.g.,an audio file) which can be input by uploading or otherwise transferringthe file to the automated dialer 210. The pre-recorded message is playedby the automated dialer 210 when the automated call is answered by thecalled party UE 220 (or its answering service).

At transaction (2) of FIG. 3, the automated dialer 210 can make amultitude of voice calls directed at called party UEs 220 _(1-N). Forillustrative purposes, only one called party UE 220 is shown. Theautomated dialer 210, with its own spoofing module, or through a callerID spoofing system 310 provided by another server, can be operable totransmit a “spoofed” number with the call that replaces the originatingnumber of the automated dialer. The spoofed number would show up on acaller ID display. Thus, each call would have associated with it thespoofed caller ID number that was entered at transaction (1). The resultis that a number that the marketing identity wants to appear on a calledparty UE 220's caller ID display, instead of the originating number ofthe automated call (e.g., number of the calling party), and be entered.The likelihood that an automated call is vexatious, malicious, orfraudulent is extremely high when the calling party is spoofing itsnumber. Many telemarketers (and in some instances, fraudulent companies)are now taking advantage of VoIP, SIP (session-initiated protocol), andnetwork redirection services to make calls using fraudulently obtained(or obtained without authorization) phone numbers to use as a spoofedcaller ID number. These obtained numbers might be legitimate numbers(e.g., actual phone numbers) belonging to a third-party identity. Theautomated dialer 210 can thus mask robocalls as a legitimate call byspoofing the originating number, such that the robocall appears to acall blocking system, caller ID devices, as well as called partyidentities' devices (e.g., called party UE 220), as coming from thelegitimate third-party identity. This tactic has the purpose ofencouraging the called party to answer the call as it appears to be froma legitimate caller, instead of a telemarketer or fraudulent caller. Itmasks the calling party's true phone number to prevent tagging,blocking, or other activities that could reduce the robocalling device'sopportunity to connect the call with the called party. Spoofing a calland using another third party's number (e.g., “spoofed victim”) though,also can have the consequence of potentially redirecting negativeresponses back from the called party to a third party whose number wasspoofed (“e.g., spoofed victim”), instead of complaints being directedto the actual calling party that is associated with the robocallingdevice (e.g., automated dialer 210).

In an example case, an automated dialer 210 might direct a call to acalled party identity (e.g., “Victim #1). An automated dialer 210changes the caller ID associated with the call to a phone number not isnot the actual number of the automated dialer 210 (e.g., 770-555-0002),which is the phone number of the spoofed party (e.g., “Victim #2”) inthe expectation that Victim #1 will answer the phone at a higherpercentage rate since the caller ID number provided, that of Victim #2,appears to be a valid call and not a robocall. If the phone call isanswered by Victim #1, and the content perceived as either vexatious orfraudulent, Victim #1 may report the call, or call back using theidentified caller ID number, which would connect Victim #1 with Victim#2, as opposed to the robocaller. Victim #2 might otherwise be unawarethat the automated dialer utilized their # on the caller ID. In someinstances, there have been calls in which the caller ID number isactually the same as the Victim's own phone number. Additionally, acaller ID spoofing system 310 can randomize the caller ID numbers sothat no one number can be blocked or reported by a Victim.

The calls that are made by the auto-dialer can be directed to phonenumbers input into the automated dialer 210 at transaction (1), as wellas numbers selected by a predictive dialer, which can include numbers ina sequence (dialing numbers in sequential order), a block, or a range.Certain blocks of phone numbers are meant for certain businesses (forexample, a block of numbers can be reserved for hospitals), and as such,numbers in particular blocks might be targeted by automated dialers.Numbers in a range are like numbers that are sequentially dialed, butare certain ranges of numbers within a sequence. Automated dialers cansometimes use ranges of numbers to avoid sequence dialing detectingalgorithms that attempt to block automated calls (e.g., calling 0000 to0500 might trigger an alert, but selecting a range of numbers withinthat sequence might avoid detection). Another characteristic ofautomated calls might be that the calls were dialed simultaneously, orin rapid succession with a short time-frame between each call (e.g., nopauses, or no significant pauses between calls).

At transaction (3), when a called party UE 220 is dialed, a caller IDservice might display the number to the called party identity via thecalled party UE 220's GUI. If an automated call contained a spoofednumber, the spoofed number might appear on the caller ID service (orcaller ID device).

A typical automated dialer 210 can be further operative to, in responseto a called party identity answering an automated call, connect thecalled party UE 220 with a qualifier, wherein the qualifier might be aninteractive voice response system (IVR) that prompts the called partyidentity to select or enter information. If certain information enteredby the called party to the qualifier indicates that the called partyidentity's profile matches a profile of the marketing identity's targetaudience, the automated dialer 210 can be operative to connect thecalled party UE 220 with a sales agent.

FIG. 4 illustrates a typical response and experience of a user identityto an automated call. At step 405, the called party identity might haveresponded to a survey, signed up for an event, filled out an on-lineapplication, or gave approval for a particular service or application toaccess his or her contact information, wherein the contact informationcomprises the called party identity's phone number. The called partyidentity's phone number might eventually wind up on a marketing entity'sphone list.

At step 410, the called party identity might receive a phone call (e.g.,an incoming call) on his or her phone (e.g., called party UE 220). Ifthe phone is operable to display caller ID information, the callingparty's number and name might show up on the caller ID display. However,this number and information might be a spoofed number and spoofed name.The number might have, for example, an area code that is the same as thearea code of the called party identity's phone number, such that thecalled party identity might believe that the calling party is a localidentity, such as a nearby friend or neighbor, thereby increasing theprobability that the called party identity will answer the automatedcall.

At step 415, the called party identity can decide whether to answer thecall. In response to the user not taking the call, at step 420 the callmight be directed to the called party identity's voice mail, in whichcase the automated dialer 210 plays the prerecorded message related tothe subject matter of the sales call.

At step 425, if the called party identity answers the call, theautomated dialer 210 plays a prerecorded message briefly describing thegoods or services being sold, and then prompts the called party identityto either push a button to speak to a representative or push a button tobe removed from the marketer's phone list.

At step 430, in response to a called party identity's selection to beremoved from the telemarketer's phone list, the called party identity'sselection will most likely be ignored. If the called party entity atstep 435 decides to hang up (e.g., end the call), the called party mightstill get more automated calls in the future. If the called partyidentity responds by indicating a desire to speak with a representative,the automated dialer 210 might at step 440 connect the user with aqualifier, which can prompt the called party identity to select or enterinformation. If certain information entered indicates that the calledparty identity's profile matches a profile of the marketing identity'starget audience, the called party identity at step 450 is transferred toa sales agent. If the called party identity's profile does not match,then at step 455 the automated dialer 210 can inform the called partyidentity that his or her profile does not qualify them for the offer,and then disconnect. After disconnection, as was the case at step 435,the called party identity might still get another automated call in thefuture. As such, with automated calls, the experience of a called partyidentity can range from being annoyed, to being angry and frustrated.

In example embodiments of the present application described herein, aspoofed call detection system (e.g., spoofing detector) comprising oneor more processors and one or more memories that can store executableinstructions (e.g., software) that, when executed by a processor,facilitate performance of determining whether a call directed to acalled party has been spoofed, wherein the executable instructions canbe comprised of one or more software modules. The spoofing detector canbe implemented as a network device, which can comprise one or moreservers, one or more data stores, or even within a communicationsswitch. The spoofing detector can comprise, for example, a switch, aserver, a computer, etc. residing in the communication network 110,executing software to perform the operations described herein. Regardingthe operations, the system can determine whether the originating numberis a number that has been spoofed.

Phone numbers are serviced, or “owned,” by one or more phone networks.As an example, as shown in FIG. 5, a calling party device, which can beautomated dialer 210, might be serviced by, as an example Google Voiceservices, and has a subscriber phone number associated (e.g.,registered) with Google Voice services, and when automated dialer 210make voice calls, it initiates these calls through its originatingnetwork (e.g., calling party's network 510), Google Voice services. Thecall can be routed and connected through, for example, another network(e.g., called party's network 520), which may be, for example, AT&T'snetwork. Thus, in this example, communication network 110 can comprisethe calling party's network 510 and the called party's network 520).There is also the possibility that calls are serviced within the samenetwork (e.g., if a calling party and called party are both serviced byAT&T's network), in which case the calling party and called party areserviced by the same network. Additionally, other intermediary networkscan be included through which a call is routed.

These phone networks implement the actual connectivity to the end userdevice by one or more technologies (e.g., circuit, VoIP, and cellular).These connectivity implementations have defined, industry standard setsof signaling for circuit (and virtual circuit) status. These statusesinclude several states that indicate a receiving line is “off-hook” (or“user busy”), and “idle”. This feature can be used during callconnections to identify calls with potentially fraudulent caller IDs andfilter them from the network.

In the example case of a legitimate phone call, as shown in FIG. 6, acalling party identity 610 uses a calling party UE 620 (e.g., which cancomprise the same type of device as UE 140 _(1-N)) to call to a calledparty UE 220 (which can be one of called party UEs 220 _(1-N), which cancomprise the same type of device as UEs 140 _(1-N) operable to answervoice calls), belonging to a called party identity 630. In thislegitimate call (e.g., there is no spoofing) calling party UE 620 wouldbe in one of the several states that grouped together would indicate itis “off-hook” during the call. Additionally, the calling party'soriginal and actual phone number 770-555-0002 (e.g., the numberassociated with the called party identity 630 and calling party UE 620),would appear on the called party UE 220's caller ID display as770-555-0002 (or some other caller ID display, for example, a peripheralcaller ID device displaying the caller ID).

In a spoofed call scenario, as shown in FIG. 7, a telemarketing entity710 (or, in some cases, a fraudulent identity) directing a robocall to acalled party UE (e.g., called party UE 220) belong to a called partyidentity (e.g., called party identity 630), which we will call Victim#1. The telemarketing entity 710 operates an automated dialer 210 (e.g.,robocalling device), or some other communication device, capable ofmaking a spoofed call (e.g., inserting a spoofed number that would bedisplayed by a caller ID display). It obtains a legitimate party's(Victim #2's) phone number (e.g., the calling party identity 610 fromFIG. 6)—770-555-0002 and uses it to spoof a call made to a calldestination a Victim #1. When a caller ID display associated with thecalled party UE 220 displays the number of the caller, it would displaythe spoofed number—770-555-0002—the number belonging to a Victim #2. Inthis instance, however, Victim #2's UE (e.g., calling party UE 620),because it did not initiate the call to the called party, might have aline status of “idle.” If Victim #2's UE was actually making the call toVictim #1, it would have a line status of “busy” or “off-hook,” as shownin FIG. 6.

FIG. 8 illustrates an example of a spoofed call detection system (e.g.,spoofing detector 810) that facilitates operations comprising thedetermination as to whether a call has been spoofed, and thusfacilitating the identification of automated calls. The operations cancomprise detecting a call from a communication device (which may be,e.g., automated dialer 210) and directed to a call destination (e.g., UE220 associated with called party identity 630, aka Victim #1). Theoperations can further comprise determining whether the call is aspoofed call by determining whether a user equipment (e.g., callingparty UE 620 associated with calling party identity 620, aka, Victim #2)associated with a caller identification number of the call is in an idlestate. Determining whether the user equipment is in the idle state cancomprise transmitting a message to a network device that services theuser equipment, wherein the message is a query to the network device fora state of the user equipment. Transmitting the message can comprisetransmitting the message using a session-initiated protocol (e.g., SIPmessage). The network device can reside in a first service networkoperated by a first service provider entity (e.g., operated by GoogleVoice), and the call destination can be associated with a second servicenetwork operated by a second service provider entity (e.g., AT&T). Thefirst service network can comprise an internet protocol (e.g., IP)network. The operations can further comprise, in response to thedetermining indicating that the user equipment is in the idle state,taking a preventative action relating to the call. The preventativeaction can be, for example, facilitating blocking of the call.

As an illustration of this operation, in the prior example caseillustrated in FIG. 7, it is safe to assume that during a legitimatecall to Victim #1 (e.g., called party identity 630) from Victim #2(e.g., legitimate calling party 610), Victim #2's phone would be in oneof the several states that grouped together would indicate it is“off-hook” during the call. This state is queryable by the spoofingdetector 810. As an example, the spoofing detector 810 can send a querymessage (e.g., using SIP messaging protocol) to network elements (forexample network device(s) 820 residing in the phone network servicingthe device (or devices) to which the number that was submitted as thecaller ID number belongs 830), and one or more of these network elementscan respond to the query by returning the status of the calling party UE620 (or calling party UEs) associated with Victim #2's phone number (inthe case of calling party UEs, sometimes a subscriber might be using acall re-direct service to make a legitimate call using another device—ifthat device is off hook, it might be an indication that the subscriberis making a call). Or, in a more primitive network, the spoofingdetector 810 can facilitate the dialing of the caller ID number (thenumber of Victim #2) to see if it can be connected to. In the case of arobocaller (or fraudulent caller) utilizing Victim #2's number to spoofthe call, if the UE (or UEs) associated with Victim #2's number isverified by the providing network as being “idle,” then the call fromthe automated dialer 210 can be identified as a spoofed call, because ifVictim #2's line status is idle, then it can be assumed that no callsare being made from Victim #2, so someone (or some other device notassociated with UEs of Victim #2) must be making the call. As such, thecall can be identified as either a fraudulent call or a call from arobocaller spoofing the call by presenting Victim #2's number as thecaller ID number associated with the call. Once the call has beenidentified in this manner as being spoofed, preventative measures can beinitiated (e.g., by the spoofing detector 810). For example, the callcan be blocked (prevented from being completed).

In the event that the query of the spoofing detector 810 returns anindication that the line status associated with Victim #2's device(s) is“off-hook” or “busy,” then this is an indication that the placed callmight be (although it is not definitive to be) from legitimate callingparty identity 610. In one aspect, the call can be allowed to proceed.While the case exists where Victim #2's phone is actually in use forsome other reason while the potentially spoofed call is proceeding, thismight be considered an edge case, and would only result in the callproceeding, which is no worse than the situation before spoofingdetection. Of note, where the UEs of Victim #1, and the UE of Victim #2are service by the same service network, for example, the queries can bedirected by the spoofing detector 810 to network elements within thesame service network.

As will be described with respect to FIG. 9 and FIG. 10, other queriescan be initiated either prior to, or subsequent to, the determination ofthe line status of devices associated with a caller ID number associatedwith a placed call.

With regard to FIG. 9, the spoofing detector 810 can initiate otherinvestigations and inquiries as to the legitimacy of the call. Thespoofing detector can, in example embodiments, determine the source ofthe potentially spoofed call. If the call has characteristics oforiginating from a source inconsistent with the source of the numberpresented as the caller ID number, then this inconsistency can be afurther factor in determining whether to block the call. In exampleembodiments, this can involve determining a geographic area associatedwith the first service network associated with the call, determiningwhether the caller identification number is associated with thegeographic area, and, in response to determining that the calleridentification number is not associated with the geographic area,facilitating blocking of the call. For example, if the caller ID numberis presented as 770-555-0002, then it can be determined that the “770”area code is one of metro Atlanta, Ga. If the call bears indicators(e.g., IP address, data elements, etc.) that it is originating from acalling party's network 510 that is associated with, for example, aforeign country, or even a location other than the geographic locationassociated with the caller ID number, then the call can be additionallyconsidered spoofed for based on this inquiry.

Referring now to FIG. 10, in the case where a physical circuit islegitimately being serviced by additional virtual network providers,such as Google, Amazon, and Apple voice services, these services can bealso check/verified via the same network switching protocols. Forexample, as shown in FIG. 9, the spoofing detector 810 can check with acalling party's network (e.g., calling party's network 510) to determinewhether a number presented as a caller ID number is registered with thecalling party's network. The spoofing detector 810 can, for example,query the calling party's network device(s) 910, by sending it a messageasking it to verify whether the number presented as the caller ID numberis registered with the called party's network. Thus, the spoofingdetector 810 can be operable to query the first service network todetermine whether the caller identification number is registered withthe first service network, and in response to determining that thecaller identification number is not registered with the first servicenetwork, facilitate blocking the call.

If, for example, the automated dialer 210 spoofed the call with Victim#2's number (770-555-0002), and Victim #2's number is actually servicedby, for example, Google Voice, while the calling party's network isApple voice, then when the spoofing detector 810 sends a message to theApple Voice network and queries whether 770-555-0002 is registered withits network, the Apple Voice network will return a negative response. Inthis situation, the spoofing detector has determined that the call mustbe spoofed, because if the calling ID number presented was registeredwith Apple Voice, it would have returned a positive acknowledgement.

Of note, where the robocaller, the UEs of Victim #1, and the UE ofVictim #2 are serviced by the same network, for example, the querieswould be directed by the spoofing detector to network elements withinthe same service network.

Referring now to FIG. 11, in example embodiments a device (e.g., aswitch, network device, computer, etc., implemented as spoofing detector810), comprising a processor and a memory (e.g., machine-readablestorage medium (e.g., memory) that stores executable instructions that,when executed by the processor, facilitate performance of operations1100.

The operations 1100 at step 1110 can comprise detecting a call from acommunication device (which may be, e.g., automated dialer 210) anddirected to a call destination (e.g., UE 220 associated with calledparty identity 630, aka Victim #1).

The operations 1100 can further comprise, at step 1120, determiningwhether the call is a spoofed call by determining whether a userequipment (e.g., calling party UE 620 associated with calling partyidentity 620, aka, Victim #2) associated with a caller identificationnumber of the call is in an idle state. Determining whether the userequipment is in the idle state can comprise transmitting a message to anetwork device that services the user equipment, wherein the message isa query to the network device for a state of the user equipment.Transmitting the message can comprise transmitting the message using asession-initiated protocol (e.g., SIP message). The network device canreside in a first service network operated by a first service providerentity (e.g., operated by Google Voice), and the call destination can beassociated with a second service network operated by a second serviceprovider entity (e.g., AT&T). The first service network can comprise aninternet protocol (e.g., IP) network.

The operations 1100 can further comprise, at step 1130, in response tothe determining indicating that the user equipment is in the idle state,taking a preventative action relating to the call. The preventativeaction can be, for example, facilitating blocking of the call.

In addition to taking a preventative action, or instead of taking apreventative action, the operations can also comprise determining ageography associated with the first service network, and based on thegeography, determining whether the caller identification number isassociated with the geography. In response to determining that thecaller identification number is not associated with the geography,facilitating blocking the call.

The operations can further comprise querying the first service networkto determine whether the caller identification number is registered withthe first service network. In response to determining that the calleridentification number is not registered with the first service network,the operations can comprise facilitating blocking the call.

The operations can further comprise allowing the call to connect to thecall destination in response to the call being determined not to be aspoofed call.

Moving on to FIG. 12, in example embodiments, operations performed by anetwork device (e.g., a switch, a server, a computer, etc., implementedas spoofing detector 810) comprising a processor can facilitateperformance of operations as illustrated in flow diagram 1200 of FIG.10. As shown at 1210, the operations can comprise receiving, by anetwork device comprising a processor, a call from a communicationdevice (which may be, e.g., automated dialer 210) directed to a calldestination (e.g., UE 220 associated with called party identity 630, akaVictim #1).

The operations 1200 can further comprise, at step 1220, identifying, bythe network device, whether the call is a spoofed call, wherein theidentifying comprises facilitating transmitting a message to a networkelement that services a user equipment associated with a calleridentification number of the call, wherein the message queries thenetwork element for a state of the user equipment, and receiving aresponse from the network element indicating that the user equipment isin an idle state. The transmitting the message can comprise transmittingthe message using a session-initiated protocol (e.g., SIP). The networkelement can be associated with a first service network operated by afirst service provider entity, and the call destination can beassociated with a second service network operated by a second serviceprovider entity. The first service network can comprise an internetprotocol (e.g., IP) network.

The operations 1200 can comprise, at step 1230, in response to theidentifying indicating the call is the spoofed call, preventing, by thenetwork device, the call from connecting to the call destination.

The operations 1200 can further comprise, determining, by the networkdevice, a geographic area associated with the first service network,determining, by the network device, whether the caller identificationnumber is associated with the geographic area, and, in response todetermining that the caller identification number is not associated withthe geographic area, facilitating, by the network device, blocking ofthe call.

The operations 1200 can further comprise, facilitating, by the networkdevice, querying the first service network to determine whether thecaller identification number is registered with the first servicenetwork. In response to determining that the caller identificationnumber is not registered with the first service network, facilitating,by the network device, blocking of the call.

Referring now to FIG. 13, in example embodiments, there is provided amachine-readable storage medium comprising executable instructions that,when executed by a processor (e.g., processor of spoofing detector 810),facilitate performance of operations 1300.

The operations 1300 can comprise, at step 1310, receiving a call from acommunication device (which might be, e.g., automated dialer 210)directed to a call destination (e.g., UE 230 associated with calledparty identity 630, aka, Victim #1).

The operations 1300 at step 1320 can comprise identifying whether thecall is spoofed call, wherein the identifying comprises (1) determiningwhether the call originates from a first service network consistent witha characteristic determined from a caller identification number of thecall, (2) in response to the determining indicating that the servicenetwork is consistent with the characteristic, transmitting a message(e.g., using SIP protocol)) to a network element of a second servicenetwork that services a user equipment associated with the calleridentification number of the call, wherein the message queries thenetwork element for a status of the user equipment, and (3) receiving aresponse from the network element indicating that the user equipment isin an idle state.

The operations 1300, at step 1330, can comprise, in response toidentifying the call as the spoofed call, facilitating preventing thecall from connecting to the call destination (e.g., blocking the call).

Determining whether the call originates from the first service networkconsistent with the characteristic can comprise determining a geographicarea associated with the first service network, determining whether thecaller identification number is associated with the geographic area,and, in response to determining that the caller identification number isnot associated with the geographic area, facilitating blocking of thecall.

Determining whether the call originates from the first service networkconsistent with the characteristic further can also comprise queryingthe first service network to determine whether the caller identificationnumber is registered with the first service network, and in response todetermining that the caller identification number is not registered withthe first service network, blocking the call.

Referring now to FIG. 14, there is illustrated a block diagram of acomputer 1400 operable to execute the functions and operations performedin the described example embodiments. For example, a user device (e.g.,called party UE 220), or a spoofing detector (e.g., spoofing detector810), can contain components as described in FIG. 14. The computer 1400can provide networking and communication capabilities between a wired orwireless communication network and a server and/or communication device.In order to provide additional context for various aspects thereof, FIG.14 and the following discussion are intended to provide a brief, generaldescription of a suitable computing environment in which the variousaspects of the various embodiments can be implemented to facilitate theestablishment of a transaction between an entity and a third party.While the description above is in the general context ofcomputer-executable instructions that can run on one or more computers,those skilled in the art will recognize that the various embodimentsalso can be implemented in combination with other program modules and/oras a combination of hardware and software.

Generally, program modules include routines, programs, components, datastructures, etc., that perform particular tasks or implement particularabstract data types. Moreover, those skilled in the art will appreciatethat the inventive methods can be practiced with other computer systemconfigurations, comprising single-processor or multiprocessor computersystems, minicomputers, mainframe computers, as well as personalcomputers, hand-held computing devices, microprocessor-based orprogrammable consumer electronics, and the like, each of which can beoperatively coupled to one or more associated devices.

The illustrated aspects of the various embodiments can also be practicedin distributed computing environments where certain tasks are performedby remote processing devices that are linked through a communicationsnetwork. In a distributed computing environment, program modules can belocated in both local and remote memory data stores.

Computing devices typically include a variety of media, which caninclude computer-readable storage media or communications media, whichtwo terms are used herein differently from one another as follows.

Computer-readable storage media can be any available storage media thatcan be accessed by the computer and comprises both volatile andnonvolatile media, removable and non-removable media. By way of example,and not limitation, computer-readable storage media can be implementedin connection with any method or technology for storage of informationsuch as computer-readable instructions, program modules, structureddata, or unstructured data. Computer-readable storage media can include,but are not limited to, RAM, ROM, EEPROM, flash memory or other memorytechnology, CD-ROM, digital versatile disk (DVD) or other optical diskstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic data stores, or other tangible and/or non-transitorymedia which can be used to store desired information. Computer-readablestorage media can be accessed by one or more local or remote computingdevices, e.g., via access requests, queries or other data retrievalprotocols, for a variety of operations with respect to the informationstored by the medium.

Communications media can embody computer-readable instructions, datastructures, program modules or other structured or unstructured data ina data signal such as a modulated data signal, e.g., a carrier wave orother transport mechanism, and comprises any information delivery ortransport media. The term “modulated data signal” or signals refers to asignal that has one or more of its characteristics set or changed insuch a manner as to encode information in one or more signals. By way ofexample, and not limitation, communication media include wired media,such as a wired network or direct-wired connection, and wireless mediasuch as acoustic, RF, infrared and other wireless media.

With reference to FIG. 14, implementing various aspects described hereinwith regards to the network devices (e.g., server 120, switch, etc.),UEs (e.g., UE 140, called party UE 220), and user premises devices(e.g., user premise device 230) can comprise a computer 1400, thecomputer 1400 comprising a processing unit 1404, a system memory 1406and a system bus 1408. The system bus 1408 couples system componentscomprising the system memory 1406 to the processing unit 1404. Theprocessing unit 1404 can be any of various commercially availableprocessors. Dual microprocessors and other multi-processor architecturescan also be employed as the processing unit 1404.

The system bus 1408 can be any of several types of bus structure thatcan further interconnect to a memory bus (with or without a memorycontroller), a peripheral bus, and a local bus using any of a variety ofcommercially available bus architectures. The system memory 1406comprises read-only memory (ROM) 1427 and random access memory (RAM)1412. A basic input/output system (BIOS) is stored in a non-volatilememory 1427 such as ROM, EPROM, EEPROM, which BIOS contains the basicroutines that help to transfer information between elements within thecomputer 1400, such as during start-up. The RAM 1412 can also include ahigh-speed RAM such as static RAM for caching data.

The computer 1400 further comprises an internal hard disk drive (HDD)1414 (e.g., EIDE, SATA), which internal hard disk drive 1414 can also beconfigured for external use in a suitable chassis (not shown), amagnetic floppy disk drive (FDD) 1416, (e.g., to read from or write to aremovable diskette 1418) and an optical disk drive 1420, (e.g., readinga CD-ROM disk 1422 or, to read from or write to other high capacityoptical media such as the DVD). The hard disk drive 1414, magnetic diskdrive 1416 and optical disk drive 1420 can be connected to the systembus 1408 by a hard disk drive interface 1424, a magnetic disk driveinterface 1426 and an optical drive interface 1428, respectively. Theinterface 1424 for external drive implementations comprises at least oneor both of Universal Serial Bus (USB) and IEEE 1294 interfacetechnologies. Other external drive connection technologies are withincontemplation of the subject embodiments.

The drives and their associated computer-readable media providenonvolatile storage of data, data structures, computer-executableinstructions, and so forth. For the computer 1400 the drives and mediaaccommodate the storage of any data in a suitable digital format.Although the description of computer-readable media above refers to aHDD, a removable magnetic diskette, and a removable optical media suchas a CD or DVD, it should be appreciated by those skilled in the artthat other types of media which are readable by a computer 1400, such aszip drives, magnetic cassettes, flash memory cards, cartridges, and thelike, can also be used in the example operating environment, andfurther, that any such media can contain computer-executableinstructions for performing the methods of the disclosed embodiments.

A number of program modules can be stored in the drives and RAM 1412,comprising an operating system 1430, one or more application programs1432, other program modules 1434 and program data 1436. All or portionsof the operating system, applications, modules, and/or data can also becached in the RAM 1412. It is to be appreciated that the variousembodiments can be implemented with various commercially availableoperating systems or combinations of operating systems.

A user can enter commands and information into the computer 1400 throughone or more wired/wireless input devices, e.g., a keyboard 1438 and apointing device, such as a mouse 1439. Other input devices 1440 caninclude a microphone, camera, an IR remote control, a joystick, a gamepad, a stylus pen, touch screen, biometric reader (e.g., fingerprintreader, retinal scanner, iris scanner, hand geometry reader, etc.), orthe like. These and other input devices are often connected to theprocessing unit 1404 through an input device interface 1442 that iscoupled to the system bus 1408, but can be connected by otherinterfaces, such as a parallel port, an IEEE 2394 serial port, a gameport, a USB port, an IR interface, etc.

A monitor 1444 or other type of display device can also be connected tothe system bus 1408 through an interface, such as a video adapter 1446.In addition to the monitor 1444, a computer 1400 typically comprisesother peripheral output devices (not shown), such as speakers, printers,etc.

The computer 1400 can operate in a networked environment using logicalconnections by wired and/or wireless communications to one or moreremote computers, such as a remote computer(s) 1448. The remotecomputer(s) 1448 can be a workstation, a server computer, a router, apersonal computer, portable computer, microprocessor-based entertainmentdevice, a peer device or other common network node, and typicallycomprises many or all of the elements described relative to thecomputer, although, for purposes of brevity, only a memory/data store1450 is illustrated. The logical connections depicted includewired/wireless connectivity to a local area network (LAN) 1452 and/orlarger networks, e.g., a wide area network (WAN) 1454. Such LAN and WANnetworking environments are commonplace in offices and companies, andfacilitate enterprise-wide computer networks, such as intranets, all ofwhich can connect to a global communications network, e.g., theinternet.

When used in a LAN networking environment, the computer 1400 isconnected to the local network 1452 through a wired and/or wirelesscommunication network interface or adapter 1456. The adapter 1456 canfacilitate wired or wireless communication to the LAN 1452, which canalso include a wireless access point disposed thereon for communicatingwith the wireless adapter 1456.

When used in a WAN networking environment, the computer 1400 can includea modem 1458, or is connected to a communications server on the WAN1454, or has other means for establishing communications over the WAN1454, such as by way of the internet. The modem 1458, which can beinternal or external and a wired or wireless device, is connected to thesystem bus 1408 through the input device interface 1442. In a networkedenvironment, program modules depicted relative to the computer, orportions thereof, can be stored in the remote memory/data store 1450. Itwill be appreciated that the network connections shown are exemplary andother means of establishing a communications link between the computerscan be used.

The computer is operable to communicate with any wireless devices orentities operatively disposed in wireless communication, e.g., aprinter, scanner, desktop and/or portable computer, portable dataassistant, communications satellite, any piece of equipment or locationassociated with a wirelessly detectable tag (e.g., a kiosk, news stand,restroom), and telephone. This comprises at least Wi-Fi and Bluetooth™wireless technologies. Thus, the communication can be a predefinedstructure as with a conventional network or simply an ad hoccommunication between at least two devices.

Wi-Fi, or Wireless Fidelity, allows connection to the internet from acouch at home, a bed in a hotel room, or a conference room at work,without wires. Wi-Fi is a wireless technology similar to that used in acell phone that enables such devices, e.g., computers, to send andreceive data indoors and out; anywhere within the range of a basestation. Wi-Fi networks use radio technologies called IEEE 802.11 (a, b,g, n, etc.) to provide secure, reliable, fast wireless connectivity. AWi-Fi network can be used to connect computers to each other, to theinternet, and to wired networks (which use IEEE 802.3 or Ethernet).Wi-Fi networks operate in the unlicensed 2.4 and 5 GHz radio bands andin accordance with, for example, IEEE 802.11 standards, or with productsthat contain both bands (dual band), so the networks can providereal-world performance similar to the basic “IOBaseT” wired Ethernetnetworks used in many offices.

Referring now to FIG. 15, illustrated is a schematic block diagram of amobile device 1500 (which can be, for example, UE 140, called party UE220, etc.) capable of connecting to a network in accordance with someembodiments described herein. Although a mobile device 1500 isillustrated herein, it will be understood that other devices can be amobile device, and that the mobile device 1500 is merely illustrated toprovide context for the embodiments of the various embodiments describedherein. The following discussion is intended to provide a brief, generaldescription of an example of a suitable environment 1500 in which thevarious embodiments can be implemented. While the description comprisesa general context of computer-executable instructions embodied on amachine-readable storage medium, those skilled in the art will recognizethat the various embodiments also can be implemented in combination withother program modules and/or as a combination of hardware and software.

Generally, applications (e.g., program modules) can include routines,programs, components, data structures, etc., that perform particulartasks or implement particular abstract data types. Moreover, thoseskilled in the art will appreciate that the methods described herein canbe practiced with other system configurations, comprisingsingle-processor or multiprocessor systems, minicomputers, mainframecomputers, as well as personal computers, hand-held computing devices,microprocessor-based or programmable consumer electronics, and the like,each of which can be operatively coupled to one or more associateddevices.

A computing device can typically include a variety of machine-readablemedia. Machine-readable media can be any available media that can beaccessed by the computer and comprises both volatile and non-volatilemedia, removable and non-removable media. By way of example and notlimitation, computer-readable media can comprise computer storage mediaand communication media. Computer storage media can include volatileand/or non-volatile media, removable and/or non-removable mediaimplemented in any method or technology for storage of information, suchas computer-readable instructions, data structures, program modules orother data. Computer storage media can include, but is not limited to,RAM, ROM, EEPROM, flash memory or other memory technology, CD ROM,digital video disk (DVD) or other optical disk storage, magneticcassettes, magnetic tape, magnetic disk storage or other magnetic datastores, or any other medium which can be used to store the desiredinformation and which can be accessed by the computer.

Communication media typically embodies computer-readable instructions,data structures, program modules or other data in a modulated datasignal such as a carrier wave or other transport mechanism, andcomprises any information delivery media. The term “modulated datasignal” means a signal that has one or more of its characteristics setor changed in such a manner as to encode information in the signal. Byway of example, and not limitation, communication media comprises wiredmedia such as a wired network or direct-wired connection, and wirelessmedia such as acoustic, RF, infrared and other wireless media.Combinations of the any of the above should also be included within thescope of computer-readable media.

The mobile device 1500 comprises a processor 1502 for controlling andprocessing all onboard operations and functions. A memory 1504interfaces to the processor 1502 for storage of data and one or moreapplications 1506 (e.g., a video player software, user feedbackcomponent software, etc.). Other applications can include voicerecognition of predetermined voice commands that facilitate initiationof the user feedback signals. The applications 1506 can be stored in thememory 1504 and/or in a firmware 1508, and executed by the processor1502 from either or both the memory 1504 or/and the firmware 1508. Thefirmware 1508 can also store startup code for execution in initializingthe mobile device 1500. A communications component 1510 interfaces tothe processor 1502 to facilitate wired/wireless communication withexternal systems, e.g., cellular networks, VoIP networks, and so on.Here, the communications component 1510 can also include a suitablecellular transceiver 1511 (e.g., a GSM transceiver) and/or an unlicensedtransceiver 1513 (e.g., Wi-Fi, WiMax) for corresponding signalcommunications. The mobile device 1500 can be a device such as acellular telephone, a PDA with mobile communications capabilities, andmessaging-centric devices. The communications component 1510 alsofacilitates communications reception from terrestrial radio networks(e.g., broadcast), digital satellite radio networks, and internet-basedradio services networks.

The mobile device 1500 comprises a display 1512 for displaying text,images, video, telephony functions (e.g., a Caller ID function), setupfunctions, and for user input. For example, the display 1512 can also bereferred to as a “screen” that can accommodate the presentation ofmultimedia content (e.g., music metadata, messages, wallpaper, graphics,etc.). The display 1512 can also display videos and can facilitate thegeneration, editing and sharing of video quotes. A serial I/O interface1514 is provided in communication with the processor 1502 to facilitatewired and/or wireless serial communications (e.g., USB, and/or IEEE1394) through a hardwire connection, and other serial input devices(e.g., a keyboard, keypad, and mouse). This supports updating andtroubleshooting the mobile device 1500, for example. Audio capabilitiesare provided with an audio I/O component 1516, which can include aspeaker for the output of audio signals related to, for example,indication that the user pressed the proper key or key combination toinitiate the user feedback signal. The audio I/O component 1516 alsofacilitates the input of audio signals through a microphone to recorddata and/or telephony voice data, and for inputting voice signals fortelephone conversations.

The mobile device 1500 can include a slot interface 1518 foraccommodating a SIC (Subscriber Identity Component) in the form factorof a card Subscriber Identity Module (SIM) or universal SIM 1520, andinterfacing the SIM card 1520 with the processor 1502. However, it is tobe appreciated that the SIM card 1520 can be manufactured into themobile device 1500, and updated by downloading data and software.

The mobile device 1500 can process IP data traffic through thecommunication component 1510 to accommodate IP traffic from an IPnetwork such as, for example, the internet, a corporate intranet, a homenetwork, a person area network, etc., through an ISP or broadband cableprovider. Thus, VoIP traffic can be utilized by the mobile device 1500and IP-based multimedia content can be received in either an encoded ordecoded format.

A video processing component 1522 (e.g., a camera) can be provided fordecoding encoded multimedia content. The video processing component 1522can aid in facilitating the generation, editing and sharing of videoquotes. The mobile device 1500 also comprises a power source 1524 in theform of batteries and/or an AC power subsystem, which power source 1524can interface to an external power system or charging equipment (notshown) by a power I/O component 1526.

The mobile device 1500 can also include a video component 1530 forprocessing video content received and, for recording and transmittingvideo content. For example, the video component 1530 can facilitate thegeneration, editing and sharing of video quotes. A location trackingcomponent 1532 facilitates geographically locating the mobile device1500. As described hereinabove, this can occur when the user initiatesthe feedback signal automatically or manually. A user input component1534 facilitates the user initiating the quality feedback signal. Theuser input component 1534 can also facilitate the generation, editingand sharing of video quotes. The user input component 1534 can includesuch conventional input device technologies such as a keypad, keyboard,mouse, stylus pen, and/or touch screen, for example.

Referring again to the applications 1506, a hysteresis component 1536facilitates the analysis and processing of hysteresis data, which isutilized to determine when to associate with the access point. Asoftware trigger component 1538 can be provided that facilitatestriggering of the hysteresis component 1538 when the Wi-Fi transceiver1513 detects the beacon of the access point. A SIP client 1540 enablesthe mobile device 1500 to support SIP protocols and register thesubscriber with the SIP registrar server. The applications 1506 can alsoinclude a client 1542 that provides at least the capability ofdiscovery, play and store of multimedia content, for example, music.

The mobile device 1500, as indicated above related to the communicationscomponent 1510, comprises an indoor network radio transceiver 1513(e.g., Wi-Fi transceiver). This function supports the indoor radio link,such as IEEE 802.11, for the dual-mode GSM mobile device 1500. Themobile device 1500 can accommodate at least satellite radio servicesthrough a handset that can combine wireless voice and digital radiochipsets into a single handheld device.

As used in this application, the terms “system,” “component,”“interface,” and the like are generally intended to refer to acomputer-related entity or an entity related to an operational machinewith one or more specific functionalities. The entities disclosed hereincan be either hardware, a combination of hardware and software,software, or software in execution. For example, a component can be, butis not limited to being, a process running on a processor, a processor,an object, an executable, a thread of execution, a program, and/or acomputer. By way of illustration, both an application running on aserver and the server can be a component. One or more components canreside within a process and/or thread of execution and a component canbe localized on one computer and/or distributed between two or morecomputers. These components also can execute from various computerreadable storage media comprising various data structures storedthereon. The components can communicate via local and/or remoteprocesses such as in accordance with a signal comprising one or moredata packets (e.g., data from one component interacting with anothercomponent in a local system, distributed system, and/or across a networksuch as the internet with other systems via the signal). As anotherexample, a component can be an apparatus with specific functionalityprovided by mechanical parts operated by electric or electroniccircuitry that is operated by software or firmware application(s)executed by a processor, wherein the processor can be internal orexternal to the apparatus and executes at least a part of the softwareor firmware application. As yet another example, a component can be anapparatus that provides specific functionality through electroniccomponents without mechanical parts, the electronic components cancomprise a processor therein to execute software or firmware thatconfers at least in part the functionality of the electronic components.An interface can comprise input/output (I/O) components as well asassociated processor, application, and/or API components.

Furthermore, the disclosed subject matter can be implemented as amethod, apparatus, or article of manufacture using standard programmingand/or engineering techniques to produce software, firmware, hardware,or any combination thereof to control a computer to implement thedisclosed subject matter. The term “article of manufacture” as usedherein is intended to encompass a computer program accessible from anycomputer-readable device, computer-readable carrier, orcomputer-readable media. For example, computer-readable media caninclude, but are not limited to, a magnetic data store, e.g., hard disk;floppy disk; magnetic strip(s); an optical disk (e.g., compact disk(CD), a digital video disc (DVD), a Blu-ray Disc™ (BD)); a smart card; aflash memory device (e.g., card, stick, key drive); and/or a virtualdevice that emulates a data store and/or any of the abovecomputer-readable media.

As it employed in the subject specification, the term “processor” canrefer to substantially any computing processing unit or devicecomprising single-core processors; single-processors with softwaremultithread execution capability; multi-core processors; multi-coreprocessors with software multithread execution capability; multi-coreprocessors with hardware multithread technology; parallel platforms; andparallel platforms with distributed shared memory. Additionally, aprocessor can refer to an integrated circuit, an application specificintegrated circuit (ASIC), a digital signal processor (DSP), a fieldprogrammable gate array (FPGA), a programmable logic controller (PLC), acomplex programmable logic device (CPLD), a discrete gate or transistorlogic, discrete hardware components, or any combination thereof designedto perform the functions described herein. Processors can exploitnano-scale architectures such as, but not limited to, molecular andquantum-dot based transistors, switches and gates, in order to optimizespace usage or enhance performance of UE. A processor also can beimplemented as a combination of computing processing units.

In the subject specification, terms such as “store,” “data store,” “datastorage,” “database,” “repository,” “queue”, “storage device,” andsubstantially any other information storage component relevant tooperation and functionality of a component, refer to “memorycomponents,” or entities embodied in a “memory” or components comprisingthe memory. It will be appreciated that the memory components describedherein can be either volatile memory or nonvolatile memory, or cancomprise both volatile and nonvolatile memory. In addition, memorycomponents or memory elements can be removable or stationary. Moreover,memory can be internal or external to a device or component, orremovable or stationary. Memory can comprise various types of media thatare readable by a computer, such as hard-disc drives, zip drives,magnetic cassettes, flash memory cards or other types of memory cards,cartridges, or the like.

By way of illustration, and not limitation, nonvolatile memory cancomprise read only memory (ROM), programmable ROM (PROM), electricallyprogrammable ROM (EPROM), electrically erasable ROM (EEPROM), or flashmemory. Volatile memory can comprise random access memory (RAM), whichacts as external cache memory. By way of illustration and notlimitation, RAM is available in many forms such as synchronous RAM(SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rateSDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), anddirect Rambus RAM (DRRAM). Additionally, the disclosed memory componentsof systems or methods herein are intended to comprise, without beinglimited to comprising, these and any other suitable types of memory.

In particular and in regard to the various functions performed by theabove described components, devices, circuits, systems and the like, theterms (comprising a reference to a “means”) used to describe suchcomponents are intended to correspond, unless otherwise indicated, toany component which performs the specified function of the describedcomponent (e.g., a functional equivalent), even though not structurallyequivalent to the disclosed structure, which performs the function inthe herein illustrated example aspects of the embodiments. In thisregard, it will also be recognized that the embodiments comprise asystem as well as a computer-readable medium comprisingcomputer-executable instructions for performing the acts and/or eventsof the various methods.

Computing devices typically comprise a variety of media, which cancomprise computer-readable storage media and/or communications media,which two terms are used herein differently from one another as follows.Computer-readable storage media can be any available storage media thatcan be accessed by the computer and comprises both volatile andnonvolatile media, removable and non-removable media. By way of example,and not limitation, computer-readable storage media can be implementedin connection with any method or technology for storage of informationsuch as computer-readable instructions, program modules, structureddata, or unstructured data. Computer-readable storage media cancomprise, but are not limited to, RAM, ROM, EEPROM, flash memory orother memory technology, CD-ROM, digital versatile disk (DVD) or otheroptical disk storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic data stores, or other tangible and/ornon-transitory media which can be used to store desired information.Computer-readable storage media can be accessed by one or more local orremote computing devices, e.g., via access requests, queries or otherdata retrieval protocols, for a variety of operations with respect tothe information stored by the medium.

On the other hand, communications media typically embodycomputer-readable instructions, data structures, program modules orother structured or unstructured data in a data signal such as amodulated data signal, e.g., a carrier wave or other transportmechanism, and comprises any information delivery or transport media.The term “modulated data signal” or signals refers to a signal that hasone or more of its characteristics set or changed in such a manner as toencode information in one or more signals. By way of example, and notlimitation, communications media comprise wired media, such as a wirednetwork or direct-wired connection, and wireless media such as acoustic,RF, infrared and other wireless media.

Further, terms like “user equipment,” “user device,” “mobile device,”“mobile,” station,” “access terminal,” “terminal,” “handset,” andsimilar terminology, can generally refer to a wireless device utilizedby a subscriber or user of a wireless communication network or serviceto receive or convey data, control, voice, video, sound, gaming, orsubstantially any data-stream or signaling-stream. The foregoing termsare utilized interchangeably in the subject specification and relateddrawings. Likewise, the terms “access point,” “node B,” “base station,”“evolved Node B,” “cell,” “cell site,” and the like, can be utilizedinterchangeably in the subject application, and refer to a wirelessnetwork component or appliance that serves and receives data, control,voice, video, sound, gaming, or substantially any data-stream orsignaling-stream from a set of subscriber stations. Data and signalingstreams can be packetized or frame-based flows. It is noted that in thesubject specification and drawings, context or explicit distinctionprovides differentiation with respect to access points or base stationsthat serve and receive data from a mobile device in an outdoorenvironment, and access points or base stations that operate in aconfined, primarily indoor environment overlaid in an outdoor coveragearea. Data and signaling streams can be packetized or frame-based flows.

Furthermore, the terms “user,” “subscriber,” “called party,” “consumer,”and the like are employed interchangeably throughout the subjectspecification, unless context warrants particular distinction(s) amongthe terms. It should be appreciated that such terms can refer to humanentities, associated devices, or automated components supported throughartificial intelligence (e.g., a capacity to make inference based oncomplex mathematical formalisms) which can provide simulated vision,sound recognition and so forth. In addition, the terms “wirelessnetwork” and “network” are used interchangeable in the subjectapplication, when context wherein the term is utilized warrantsdistinction for clarity purposes such distinction is made explicit.

Moreover, the word “exemplary,” where used, is used herein to meanserving as an example, instance, or illustration. Any aspect or designdescribed herein as “exemplary” is not necessarily to be construed aspreferred or advantageous over other aspects or designs. Rather, use ofthe word exemplary is intended to present concepts in a concretefashion. As used in this application, the term “or” is intended to meanan inclusive “or” rather than an exclusive “or”. That is, unlessspecified otherwise, or clear from context, “X employs A or B” isintended to mean any of the natural inclusive permutations. That is, ifX employs A; X employs B; or X employs both A and B, then “X employs Aor B” is satisfied under any of the foregoing instances. In addition,the articles “a” and “an” as used in this application and the appendedclaims should generally be construed to mean “one or more” unlessspecified otherwise or clear from context to be directed to a singularform.

In addition, while a particular feature may have been disclosed withrespect to only one of several implementations, such feature can becombined with one or more other features of the other implementations asmay be desired and advantageous for any given or particular application.Furthermore, to the extent that the terms “have”, “having”, “includes”and “including” and variants thereof are used in either the detaileddescription or the claims, these terms are intended to be inclusive in amanner similar to the term “comprising.”

The above descriptions of various embodiments of the subject disclosureand corresponding figures and what is described in the Abstract, aredescribed herein for illustrative purposes, and are not intended to beexhaustive or to limit the disclosed embodiments to the precise formsdisclosed. It is to be understood that one of ordinary skill in the artcan recognize that other embodiments comprising modifications,permutations, combinations, and additions can be implemented forperforming the same, similar, alternative, or substitute functions ofthe disclosed subject matter, and are therefore considered within thescope of this disclosure. Therefore, the disclosed subject matter shouldnot be limited to any single embodiment described herein, but rathershould be construed in breadth and scope in accordance with the claimsbelow.

What is claimed is:
 1. A device, comprising: a processor; and a memorythat stores executable instructions that, when executed by theprocessor, facilitate performance of operations, comprising: detecting acall from a communication device and directed to a call destination,determining whether the call is a spoofed call by determining whether auser equipment associated with a caller identification number of thecall is in an idle state, in response to the determining indicating thatthe user equipment is in the idle state, taking a preventative actionrelating to the call, using an indicator associated with the call,determining a first geographic area associated with a service networkvia which the call has originated, determining a second geographic areabased on an examination of an area code of the caller identificationnumber, and in response to determining that the second geographic areais not consistent with the first geographic area based on a result ofcomparing the first geographic area with the second geographic area,facilitating blocking of the call.
 2. The device of claim 1, wherein thedetermining whether the user equipment is in the idle state comprises:transmitting a message to a network device that services the userequipment, wherein the message is a query to the network device for astate of the user equipment.
 3. The device of claim 2, wherein thetransmitting the message comprises transmitting the message using asession-initiated protocol.
 4. The device of claim 2, wherein theservice network is a first service network operated by a first serviceprovider entity, and wherein the network device resides in the firstservice network, and wherein the call destination is associated with asecond service network operated by a second service provider entity. 5.The device of claim 4, wherein the first service network comprises aninternet protocol network.
 6. The device of claim 4, wherein theoperations further comprise querying the first service network todetermine whether the caller identification number is registered withthe first service network.
 7. The device of claim 6, wherein theoperations further comprise, in response to determining that the calleridentification number is not registered with the first service network,facilitating blocking the call.
 8. The device of claim 1, wherein theoperations further comprise, allowing the call to connect to the calldestination in response to the call being determined not to be thespoofed call.
 9. A method, comprising: receiving, by a network devicecomprising a processor, a call from a communication device directed to acall destination; identifying, by the network device, whether the callis a spoofed call, wherein the identifying comprises: facilitatingtransmitting a message to a network element that services a userequipment associated with a caller identification number of the call,wherein the message is a query to the network element for a state of theuser equipment, and receiving a response from the network elementindicating that the user equipment is in an idle state; in response tothe identifying indicating the call is the spoofed call, preventing, bythe network device, the call from connecting to the call destination;using an indicator associated with the call, determining, by the networkdevice, a first geographic area associated with a service network fromwhich the call originates; determining a second geographic area based onan examination of an area code of the caller identification number; andin response to determining that the second geographic area is notconsistent with the first geographic area by comparing the firstgeographic area with the second geographic area, facilitating, by thenetwork device, a blocking of the call.
 10. The method of claim 9,wherein the transmitting the message comprises transmitting the messageusing a session-initiated protocol.
 11. The method of claim 9, whereinthe service network is a first service network operated by a firstservice provider entity, and wherein the network element is associatedwith the first service network, and the call destination is associatedwith a second service network operated by a second service providerentity.
 12. The method of claim 11, wherein the first service networkcomprises an internet protocol network.
 13. The method of claim 11,further comprising: facilitating, by the network device, querying thefirst service network to determine whether the caller identificationnumber is registered with the first service network; and in response todetermining that the caller identification number is not registered withthe first service network, facilitating, by the network device, blockingof the call.
 14. A machine-readable storage medium comprising executableinstructions that, when executed by a processor of a network device,facilitate performance of operations, comprising: receiving a call froma communication device directed to a call destination; identifyingwhether the call is spoofed call, wherein the identifying comprisesreceiving a response from a network element that services a userequipment associated with the caller identification number of the call,the response indicating that the user equipment is in an idle state; inresponse to identifying the call as the spoofed call, facilitatingpreventing the call from connecting to the call destination; using anindicator associated with the call, determining a first geographic areaassociated with a first service network through which the call has beenrouted; determining a second geographic area based on an examination ofan area code of the caller identification number; and in response to thedetermining that the second geographic area is not consistent with thefirst geographic area, facilitating blocking the call.
 15. Themachine-readable storage medium of claim 14, wherein the identifyingfurther comprises determining whether the call is consistent with acharacteristic determined from the caller identification number of thecall, and in response to the determining whether the call is consistentwith the characteristic indicating that the first service network isconsistent with the characteristic, transmitting a message to thenetwork element, wherein the message queries the network element for astatus of the user equipment.
 16. The machine-readable storage medium ofclaim 14, wherein the identifying further comprises: transmitting amessage to the network element that services the user equipment, whereinthe message is a query to the network element for a state of the userequipment.
 17. The machine-readable storage medium of claim 14, whereinthe network element resides in the first service network operated by afirst service provider entity, and wherein the call destination isassociated with a second service network operated by a second serviceprovider entity.
 18. The machine-readable storage medium of claim 17,wherein the first service network comprises an internet protocolnetwork.
 19. The machine-readable storage medium of claim 15, whereinthe determining whether the call is consistent with a characteristicdetermined from the caller identification number of the call furthercomprises: querying the first service network to determine whether thecaller identification number is registered with the first servicenetwork; and in response to determining that the caller identificationnumber is not registered with the first service network, performing thefacilitating of the blocking of the call.
 20. The machine-readablestorage medium of claim 16, wherein the transmitting the messagecomprises transmitting the message using a session-initiated protocol.